
[meta-selinux,walnascar] refpolicy: systemd - allow systemd_generator_t use user ttys

Message ID 60dd3c10-61ea-43e5-9140-bd58fa6bd1e5@gmail.com

Commit Message

Clayton Casciato Oct. 13, 2025, 3:51 p.m. UTC
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 ...ystem-systemd-allow-systemd_generato.patch | 77 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0059-policy-modules-system-systemd-allow-systemd_generato.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-systemd-allow-systemd_generato.patch b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-systemd-allow-systemd_generato.patch
new file mode 100644
index 0000000..f64c115
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0059-policy-modules-system-systemd-allow-systemd_generato.patch
@@ -0,0 +1,77 @@ 
+From 00907f0de29c87ca007bbb5889ff02b66cdfe700 Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Mon, 5 May 2025 11:15:14 -0600
+Subject: [PATCH] systemd: allow systemd_generator_t use user ttys
+
+type=PROCTITLE
+proctitle=/usr/lib/systemd/system-generators/systemd-getty-generator
+/run/systemd/generator /run/systemd/generator.early /run/systemd/gene
+
+type=SYSCALL arch=armeb syscall=openat per=PER_LINUX success=yes exit=4
+a0=AT_FDCWD a1=0xbea41b28
+a2=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=0
+ppid=1106 pid=1109 auid=unset uid=root gid=root euid=root suid=root
+fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=systemd-getty-g
+exe=/usr/lib/systemd/system-generators/systemd-getty-generator
+subj=system_u:system_r:systemd_generator_t:s0 key=(null)
+
+type=AVC avc:  denied  { open } for  pid=1109 comm=systemd-getty-g
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2
+scontext=system_u:system_r:systemd_generator_t:s0
+tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
+
+type=AVC avc:  denied  { read write } for  pid=1109 comm=systemd-getty-g
+name=ttyAMA0 dev="devtmpfs" ino=2
+scontext=system_u:system_r:systemd_generator_t:s0
+tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
+----
+type=PROCTITLE
+proctitle=/usr/lib/systemd/system-generators/systemd-getty-generator
+/run/systemd/generator /run/systemd/generator.early /run/systemd/gene
+
+type=SYSCALL arch=armeb syscall=ioctl per=PER_LINUX success=yes exit=0
+a0=0x4 a1=TCGETS a2=0xbea41ab0 a3=0xbea41ae4 items=0 ppid=1106 pid=1109
+auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
+sgid=root fsgid=root tty=(none) ses=unset comm=systemd-getty-g
+exe=/usr/lib/systemd/system-generators/systemd-getty-generator
+subj=system_u:system_r:systemd_generator_t:s0 key=(null)
+
+type=AVC avc:  denied  { ioctl } for  pid=1109 comm=systemd-getty-g
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2 ioctlcmd=TCGETS
+scontext=system_u:system_r:systemd_generator_t:s0
+tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
+
+--
+
+Fedora:
+
+matchpathcon /usr/lib/systemd/system-generators/systemd-getty-generator
+
+system_u:object_r:systemd_getty_generator_exec_t:s0
+
+https://github.com/fedora-selinux/selinux-policy/commit/6adfc23f83c3b9078c0245c66095eb78f411bedd#diff-20413b38529167819e3ef86a39929b3638ea684202dc692282e633cd05065969R1322
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/930e04f861ab3e753ca831b0c3a1fe51f4b423f9]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 3e612d0b5..514ead9a8 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -622,6 +622,9 @@ udev_read_runtime_files(systemd_generator_t)
+ mls_file_read_to_clearance(systemd_generator_t)
+ mls_file_write_to_clearance(systemd_generator_t)
+ 
++# for systemd-getty-generator
++userdom_use_user_ttys(systemd_generator_t)
++
+ ifdef(`distro_gentoo',`
+ 	corecmd_shell_entry_type(systemd_generator_t)
+ ')
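Review bot: The added `userdom_use_user_ttys(systemd_generator_t)` in the systemd.te hunk grants the access to every program that runs in systemd_generator_t, which is presumably every generator under /usr/lib/systemd/system-generators, while the AVC records justifying it come only from systemd-getty-generator; the one-line comment above it undersells that scope. The denials themselves show a narrow need — open, read/write and a TCGETS ioctl on /dev/ttyAMA0 — and the interface matches that class of access, so the backport (tracked to upstream 930e04f861ab) looks right in kind, though a dedicated getty-generator domain as in the Fedora commit cited in the message would be the tighter alternative. What the comment does not record is why the console node carried user_tty_device_t rather than a system tty type (the tcontext is `unconfined_u:object_r:user_tty_device_t:s0`), which is presumably the situation the grant exists for; I would expand it to `# for systemd-getty-generator (all generators share this domain): the console it probes may already be labelled user_tty_device_t`. The systemd_generator_t rule block of systemd.te starts before and continues after this hunk.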
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index d29d50c..32234b0 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -74,6 +74,7 @@  SRC_URI += " \
         file://0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0057-policy-modules-system-logging-make-syslogd_runtime_t.patch \
         file://0058-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
+        file://0059-policy-modules-system-systemd-allow-systemd_generato.patch \
         "
 
 S = "${WORKDIR}/refpolicy"